CISSP is a conceptual exam, that needs a reasonable, prudent guy with a managerial mindset. CISSP candidate needs to build their mentality around the following general bullet points and apply it on each and every domain. The list is by no means, a full list; you are kindly asked to add your comments, or debate and contradict those listed so that to build a more solid mindset for the exam and the real career life as well.
The list below is written by me from my humble experience in the info. sec and the CISSP study guides and expert inputs and ideas:
- Security can never and should never preempt safety. People are the utmost important asset in your organization.
- Info. Sec people are not the ultimate decision-makers; it suits them accurately to be described as reflectors who can represent their recommendations to the senior management regarding security initiatives.
-Senior management on the other side are ultimately responsible for approving, steering and overseeing security projects within their corporation.
-Security people should always be prudent, take initiatives and see what other people can't see.
-Your organization is not here to merely invest on security, it is in the market ONLY to make profit, security is just another function subject to ROI calculations. So your controls needs to be evaluated against these ROI calculations, so only the most cost effective controls are being selected.
-Security is all about maintaining the CIA triad, threats/risks against this triad should be assessed all the way down the security journey.
-Security is a PROGRAM which being broken into PROJECTS. You can not treat security as merely project.
- Your internal staff is the deadliest threat to your security, be aware of them.
-There's NO way you can totally eliminate risk, you will do your best efforts to mitigate it with the most cost effective manner.
-Be it, a technical control or physical control, building those controls around defense-in-depth methodologies is always the best thing to do for your organization.
-Complexity is security's biggest enemy. Make it simple.
-You can not install a firewall in your back server room and call it a day "we're safe now". Planning, Planning, Planning. A security program without a plan, is just mess, ad-hoc kind of thing, that leads only to one way: false sense of security.
-Risk assessment is about identifying threats and vulnerabilities to determine appropriate security controls. While risk analysis provides cost/benefit comparison to security controls (this is where qualitative/quantitative concepts applies). However only senior management will agree on those controls. Our part is to hand it to them.
-You can't tell your senior management "we are facing XSS attacks on our infrastructure so we need an application layer 7 firewall" the senior management only understand figures, numbers and charts.
-Every and any member of your organization is part of your security program umbrella (from the security guard up to the CEO).
-Relativity as it applies to physics, it also applied to info. sec. Security goals for military missions can't be the same as those of the Pizza restaurants. Also CIA triad is relative to each organization, e.g military facilities care more about the "C" of the triad, while finance and call centers care more about the triad's "I" and "A" respectively and so on.
-Security needs to be periodically (preferably annually) audited and refined. Some times your biggest enemy would be the "false sense of security".
-Training and awareness on security should be part of the security program and should never be underestimated.
-Compliance to the country laws and legislation surpasses those of the company.
-Ethics and morals is what makes a security guy a security guy.